Executive Summary

CVE-2026-34955 is a high-severity sandbox escape vulnerability in the PraisonAI package affecting its SubprocessSandbox component in all modes (BASIC, STRICT, NETWORK_ISOLATED) prior to version 4.5.97.

The vulnerability occurs because SubprocessSandbox uses subprocess.run() with shell=True and relies only on a string-pattern blocklist to prevent dangerous commands. However, the blocklist does not include standalone executables like sh or bash.

This omission allows attackers to bypass the sandbox restrictions by executing commands via sh -c '<command>', effectively escaping the sandbox even in STRICT mode.

The sandbox checks command names against a blocklist but fails to block sh or bash, and the blocklist patterns can be evaded by cleverly crafted commands.

This issue has been patched in version 4.5.97 by changing the command execution method to avoid shell=True and properly parsing commands to prevent shell injection.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to escape the sandbox environment in PraisonAI, even when running in STRICT mode.

By bypassing the sandbox, attackers can execute arbitrary OS commands that were intended to be blocked, such as curl, wget, nc, and ssh.

This can lead to unauthorized access to the network, filesystem, and cloud metadata services, potentially compromising confidentiality, integrity, and availability of the system.

The CVSS v3.1 base score of 8.8 reflects the high impact, including high confidentiality, integrity, and availability impacts with low attack complexity and low privileges required.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing if the PraisonAI SubprocessSandbox component allows execution of commands via shell escapes such as using 'sh -c' to bypass the sandbox restrictions.

A practical detection method is to run a command in STRICT sandbox mode that attempts to execute a simple shell command through 'sh -c'. For example, executing the command: sh -c 'id' inside the sandbox and observing if it returns user identity information indicates the sandbox escape vulnerability.

Since the vulnerability arises from the use of subprocess.run() with shell=True and insufficient blocking of 'sh' or 'bash', you can also check the version of PraisonAI installed. Versions prior to 4.5.97 are vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade PraisonAI to version 4.5.97 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, avoid using the SubprocessSandbox in any mode, especially STRICT mode, as it does not provide effective OS-level isolation.

Additionally, review and modify the code to replace subprocess.run() calls with shell=True by using subprocess.run() with shell=False and safely parsing commands with shlex.split(). This prevents shell injection and sandbox escape.

• Upgrade PraisonAI to version 4.5.97 or later.
• Avoid using SubprocessSandbox modes until patched.
• Modify code to use subprocess.run() with shell=False and shlex.split() for command parsing.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to escape the sandbox and gain unauthorized access to the network, filesystem, and cloud metadata services by executing arbitrary commands. Such unauthorized access can lead to exposure, modification, or destruction of sensitive data.

Because of the high impact on confidentiality, integrity, and availability of data (all rated high in the CVSS), this vulnerability could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls to protect sensitive personal and health information.

Organizations using vulnerable versions of PraisonAI may fail to meet regulatory requirements for data security and privacy, potentially resulting in legal and financial consequences.

Useful 0 Not Useful 0